Glossary of Terms
Adaptive Chosen Message Attack
In an adaptive chosen message attack, the attacker makes a query and
then adaptively chooses its next query based on the answer to the
previous query. An Interrogative Adversary can mount such an attack by repeatedly asking a Web server to
mint or verify authenticators.
Authentication
This is a cryptographic property. A system that provides authentication
ensures that a person sending or receiving data is, in fact, who
they claim to be. Not to be confused with confidentiality.
Authenticator
A symbol or group of symbols, or a series of bits, selected or
determined in a prearranged manner and usually inserted at a
prearranged point in a message or transmission in order to determine
the validity of the message or transmission or the identity or
eligibility of an individual or entity. Cookies are often
used as authenticators in client authentication schemes
on the web.
Active Adversary
This adversary can see and modify all traffic between the user and the
server and mount man-in-the-middle attacks. In the real world, this
situation might arise if the adversary controls a proxy service between
the user and the server. This is an extremely strong adversary who
is very difficult to defend against.
Confidentiality
This property is not strictly related to authentication but it is worth defining since it can be provided by
cryptography and since it is often confused with authentication. A
system that provides confidentiality protects traffic from disclosure
by anyone except the sender and the recipient. In contrast, a
system that provides authentication ensures that the person sending
or receiving the data is indeed who they claim to be. This confusion
is increased by SSL which provides options for
both confidentiality and authentication. In addition, browsers have
the current practice of displaying a single padlock for "security"
whose meaning is ambiguous.
Cookie
A piece of state information, more specifically a key/value pair, which
can be stored on a client machine. The client returns the cookie to the
server in subsequent requests. Cookies are further described in the
Netscape Cookie Specification.
Crypt
This is the password encryption function on UNIX systems. It is based
on the Data Encryption Standard algorithm with some variations. Crypt
has some quirks, such as the fact that it only operates on the first
eight characters of input, which make it a poor choice for generalized
encryption or message authentication codes.
Eavesdropping Adversary
This adversary can see all traffic between users and the server, but
cannot modify any packets flowing across the network. That is, the
adversary can sniff the network and replay authenticators. This
adversary also has all the abilities of the Interrogative Adversary.
Ephemeral Cookie
A cookie, also called a temporary cookie, which is stored only in the browser's memory and
disappears when the user exits the browser.
Existential Forgery
The adversary can forge an authenticator
for at least one user. However, the adversary cannot choose the
user. This may be most interesting in the case where authenticators
protect access to a subscription service. While an existential
forgery would not give an adversary access to a chosen user's account,
it would allow the adversary to access content without paying for it.
This is the least harmful kind of forgery.
HTTP Basic Authentication
This is one of the authentication mechanisms mentioned in the HTTP
specification. Basic Authentication requires the client to send a
username and password in the clear as part of the HTTP request. This
pair is typically present preemptively in all HTTP requests for content
in subdirectories of the original request. Basic authentication is
vulnerable to an Eavesdropping Adversary. It also does not provide guaranteed expiration (or logout), and
repeatedly exposes a user's long term authenticator.
HTTP Digest Authentication
This is a newer form of HTTP authentication which is based on the same
concept as basic authentication.
However, this system does not transmit cleartext passwords. The client
sends a cryptographic hash (usually MD5) of the username, password,
a server-provided nonce, the HTTP method and the URL. The security of
this protocol is discussed extensively in RFC 2617. Digest authentication enjoys very little
client support, even though it is supported by the popular Apache
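
An added example (not part of the original glossary) of the computation this entry describes, following RFC 2617 with qop=auth. The realm, nonce count and client nonce fields come from the RFC rather than from this page; the sample values are the RFC's own worked example, except FRESH_NONCE, which is constructed here.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(username: str, realm: str, password: str) -> str:
    # The only place the password is used; a server can store this value
    # instead of the cleartext password.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 request-digest for qop=auth: binds the secret to the
    # server nonce, the HTTP method and the URL.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # Recompute with the nonce the server issued and compare in constant time.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Values from the worked example in RFC 2617, section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NC, CNONCE = "00000001", "0a4f113b"
FRESH_NONCE = "0123456789abcdef0123456789abcdef"  # constructed for this example

def demo():
    ha1 = ha1_for(USER, REALM, PASSWORD)
    sent = digest_response(ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE)
    return {
        "response": sent,
        "accepted": server_verify(ha1, "GET", "/dir/index.html", NONCE, NC, CNONCE, sent),
        # A sniffed response replayed after the server has moved to a new nonce.
        "replay_new_nonce": server_verify(ha1, "GET", "/dir/index.html", FRESH_NONCE, NC, CNONCE, sent),
        # The same response attached to a different method.
        "other_method": server_verify(ha1, "POST", "/dir/index.html", NONCE, NC, CNONCE, sent),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored HA1 value is sufficient on its own to compute valid responses, so a server has to protect it as carefully as it would a password.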
Interrogative Adversary
An adversary with no special access to the network (in comparison to
the eavesdropping and active adversary). This adversary, who in most
cases is potentially any user, can adaptively query a web
server a reasonable number of times in order to gain information about the site.
see Eavesdropping Adversary
Persistent Cookie
This is a cookie which is written to a file on
the user's system. Persistent cookie files are often accessible over
the Internet through certain queries to search engines. If such a
cookie contains an authenticator, an
adversary can simply copy the cookie and break into the user's account.
In addition, if the account is accessed from a public system, any
subsequent user of that system can access the account. As a result,
persistent cookies should not be considered private and authenticators
should not be stored in them.
PKI
Short for Public Key Infrastructure, a system of digital certificates,
Certificate Authorities, and other registration authorities which
verify and authenticate the validity of each party involved in an
Internet transaction. PKIs are currently evolving and there is no
single PKI nor even a single agreed-upon standard for setting up a PKI.
However, nearly everyone agrees that reliable PKIs are necessary before
electronic commerce can become widespread. From webopedia. The lack of a globally accepted PKI is
one of the reasons the use of SSL Client Authentication
is not widespread.
IETF work on PKI is described here and there is also lots of information here.
Selective Forgery
The adversary can forge an authenticator
for a particular user. This adversary can access any chosen user's
personalized content, be it Web e-mail or bank statements.
SSL
The Secure Sockets Layer (SSL) protocol is a strong authentication
system which provides confidentiality, integrity, and optionally
authentication at the transport level. It is standardized as the
Transport Layer Security (TLS) protocol. HTTP runs on top of SSL, which provides all the
cryptographic strength. SSL achieves authentication via public-key
cryptography in X.509 certificates and requires a public key
infrastructure (PKI). This requirement is the main difficulty in using
SSL for authentication -- currently there is no global PKI, nor is there likely to be one anytime soon. In addition, SSL decreases Web server
performance and often provides more functionality than most applications
Temporary Cookie
See Ephemeral Cookie.
Total Break
This results in the recovery, by the adversary, of the secret key
used to mint authenticators. This is
the most serious break in that it allows the adversary to construct
valid authenticators at any time for all users.